38 Pull requests merged by 18 people

• Update language display names

  #14282 merged Sep 29, 2023

• C#: Also run extractor unit tests on a windows runner.

  #14333 merged Sep 29, 2023

• Python: promote nosql query

  #14070 merged Sep 29, 2023

• Java: Fix CFG for case rule statements.

  #14336 merged Sep 29, 2023

• Java: Framework mode source candidates

  #14197 merged Sep 28, 2023

• Kotlin: Handle IrExternalPackageFragment properly for more external entities

  #14334 merged Sep 28, 2023

• Kotlin: Differentiate 2 error messages

  #14338 merged Sep 28, 2023

• Python: Improve computation of regex fragments inside string parts

  #14317 merged Sep 28, 2023

• C#: Fix parentheses in model editor queries

  #14330 merged Sep 28, 2023

• Shared: add in/out barriers with flow state

  #14305 merged Sep 28, 2023

• All languages: Use shared FileSystem library and minor regex performance improvement.

  #14321 merged Sep 28, 2023

• Java: Add VS Code model editor queries

  #14199 merged Sep 28, 2023

• C#: Add VS Code model editor queries

  #14200 merged Sep 28, 2023

• Post-release preparation for codeql-cli-2.14.6

  #14271 merged Sep 27, 2023

• C#: Disable unit tests (need to fix line ending issues).

  #14327 merged Sep 27, 2023

• Shared: Clean up `NodeInfo` in shared extractor

  #14326 merged Sep 27, 2023

• Ruby: Improve performance of flow through (hash) splats

  #14229 merged Sep 27, 2023

• Kotlin: Claim to support Kotlin 2

  #14323 merged Sep 27, 2023

• C#: Base a few more query tests on stubs.

  #14319 merged Sep 27, 2023

• C#: Add a couple of stub generator unit tests

  #14325 merged Sep 27, 2023

• Ruby: More splat flow (alternative)

  #14090 merged Sep 27, 2023

• C#: Add readonly modifier to fields and constant values.

  #14318 merged Sep 27, 2023

• update go tools version from v0.11.1 to v0.13.0

  #14314 merged Sep 26, 2023

• Swift: Port regex mode flag fix from Python to Swift

  #14209 merged Sep 26, 2023

• Java: Add support for additional nodes, read steps, and store steps for QL models and model ThreadLocal.initialValue

  #14297 merged Sep 26, 2023

• C#: Rely on CLI to cleanup scratch dir

  #14315 merged Sep 26, 2023

• C#: Add stub generator integration test

  #14310 merged Sep 26, 2023

• Release automodel queries version 0.0.3

  #14246 merged Sep 26, 2023

• Update CSV framework coverage reports

  #14313 merged Sep 26, 2023

• C#: Expose generated files in `DependencyManager`

  #14311 merged Sep 26, 2023

• C#: Add query for Insecure Direct Object Reference

  #13882 merged Sep 25, 2023

• C#: Improve lambda dispatch using type flow

  #14295 merged Sep 25, 2023

• C#: Minor improvements to the ExternalApi implementation.

  #14272 merged Sep 25, 2023

• C#: Make `GenerateStubs` return list of generated output

  #14309 merged Sep 25, 2023

• Python: switch regex location tests to inline expectations

  #14307 merged Sep 25, 2023

• C#: Remove legacy runtime packages from extraction references

  #14306 merged Sep 25, 2023

• Kotlin: Extract LighterAST comments as well as PSI comments

  #14220 merged Sep 25, 2023

• Dataflow: Make use of defaults for language-specific hooks.

  #14299 merged Sep 25, 2023

16 Pull requests opened by 14 people

• JS: extend DatabaseAccess by `TypeORM` and `sqlite` packages

  #14302 opened Sep 23, 2023

• Ruby: Implement `mustFlow`

  #14303 opened Sep 23, 2023

• Ruby: Add a query for CSRF protection not enabled

  #14308 opened Sep 25, 2023

• Swift: Add sinks for sqlite3 and SQLite.swift to swift/cleartext-storage-database

  #14312 opened Sep 25, 2023

• Add Java buildless diagnostic expectations

  #14322 opened Sep 26, 2023

• Temporarily run the standalone extractor instead of autobuilding

  #14324 opened Sep 27, 2023

• Swift: Model .description, .debugDescription more generally

  #14328 opened Sep 27, 2023

• Swift: Update summary queries

  #14329 opened Sep 27, 2023

• C++: use in/out barriers with flow state

  #14331 opened Sep 28, 2023

• CPP: Add reverse bounds in range analysis for InvalidPointerDeref

  #14335 opened Sep 28, 2023

• C++: Remove getLocation from Container.

  #14337 opened Sep 28, 2023

• JS/PY/RB/Java: escape unicode chars in overly-large-range

  #14339 opened Sep 28, 2023

• Python - Add support for RestFramework ModelViewSet functions

  #14341 opened Sep 29, 2023

• JS: Add Permissive CORS query (CWE-942)

  #14342 opened Sep 29, 2023

• [Draft] C#: Add XSS flow steps for View calls refering to Razor pages

  #14343 opened Sep 29, 2023

• ATM/JS: Remove test workflow

  #14345 opened Sep 29, 2023

3 Issues closed by 3 people

• Java: SwitchCase expressions should implicitly break rather than fall through

  #14332 closed Sep 29, 2023

• CodeQL v2.14.5 failed to extract Lombok files.

  #14316 closed Sep 27, 2023

• Extraction is broken with Swift 5.9 toolchain

  #14300 closed Sep 25, 2023

33 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Go: New File System Access Sinks

  #14064 commented on Sep 29, 2023 • 33 new comments

• JS: provide command execution sinks for execa package

  #14294 commented on Sep 25, 2023 • 13 new comments

• Go: Decompression Bombs

  #13553 commented on Sep 29, 2023 • 11 new comments

• Data flow: Performance improvements

  #14255 commented on Sep 29, 2023 • 11 new comments

• Java: Convert `SensitiveApi.qll` to use Models-as-Data

  #13978 commented on Sep 29, 2023 • 8 new comments

• Go: Improved JWT query, JWT decoding without verification

  #14075 commented on Sep 28, 2023 • 8 new comments

• 16 cryptography models libraries and queries migration

  #14289 commented on Sep 28, 2023 • 7 new comments

• CPP: Fix some use after free FPs.

  #14275 commented on Sep 29, 2023 • 6 new comments

• Swift: dataflow for `for-in` loops

  #13909 commented on Sep 28, 2023 • 5 new comments

• Go: fasthttp

  #14123 commented on Sep 29, 2023 • 5 new comments

• go 1.21 support

  #13992 commented on Sep 26, 2023 • 4 new comments

• C++: Update for changes in frontend.

  #14135 commented on Sep 28, 2023 • 4 new comments

• Ruby: Port `UrlConcatenation.qll` from JS

  #14180 commented on Sep 25, 2023 • 4 new comments

• Java: Convert implementations of `LocalUserInput` to Models-as-Data

  #14127 commented on Sep 29, 2023 • 3 new comments

• CodeQL is missing an inline mechanism to suppress warnings

  #11427 commented on Sep 26, 2023 • 2 new comments

• Java: Add Weak Randomness Query (CWE-330/338)

  #13608 commented on Sep 29, 2023 • 2 new comments

• Java: Should `FunctionalExpr` be a non-extending subtype of `ClassInstanceExpr`?

  #14277 commented on Sep 26, 2023 • 1 new comment

• Ruby: add seperate additional steps between `YAML.parse*` methods and `to_ruby`

  #13431 commented on Sep 25, 2023 • 1 new comment

• Python: Add unsafe deserialization sinks (CWE-502)

  #13781 commented on Sep 28, 2023 • 1 new comment

• Java: Add new Apache CXF generated models

  #14030 commented on Sep 29, 2023 • 1 new comment

• Swift: Flow through OpenExistentialExpr

  #14113 commented on Sep 27, 2023 • 1 new comment

• Python: Allow namespace packages

  #14114 commented on Sep 29, 2023 • 1 new comment

• Swift: CFG and data flow for nil coalescing operator

  #14224 commented on Sep 29, 2023 • 1 new comment

• Java: Introduce a class of dataflow nodes for the threat modeling.

  #14257 commented on Sep 29, 2023 • 1 new comment

• Enable GoKit module into the default list

  #14276 commented on Sep 29, 2023 • 1 new comment

• JS: Dynamic import as code injection sink

  #14293 commented on Sep 28, 2023 • 1 new comment

• Preserving taint through arithmetic operations in Java

  #14233 commented on Sep 27, 2023 • 0 new comments

• Java: Add support for data flow through thrown exceptions.

  #9914 commented on Sep 25, 2023 • 0 new comments

• Java: Decompression Bombs

  #13555 commented on Sep 29, 2023 • 0 new comments

• Go: Improve incorrect integer conversion

  #13949 commented on Sep 28, 2023 • 0 new comments

• Swift: use shared capture flow library

  #14078 commented on Sep 25, 2023 • 0 new comments

• Go: Better determine Go versions in Go 1.21+

  #14194 commented on Sep 26, 2023 • 0 new comments

• Lua: Use --property for specifying properties to dotnet.

  #14298 commented on Sep 25, 2023 • 0 new comments